I just updated to Koli and wondered about the new permissions I had to give. When starting the gallery app for the first time, I could only choose between granting the permission completely or denying it, but there were many different points. I want to use the gallery, but without giving it permission for the internet. I don’t want the gallery to connect to the internet. Have I overlooked something, or does Sailfish now force one to give permissions which are not necessary? I thought this is what Sailfish stands for, privacy and not forcing people. Of course I hope I have just overlooked something, but I couldn’t find anything yet to not give the gallery permission for access to the internet, e.g. …
What you describe is the expected way for SFOS applications - perhaps more fine-tuned permissions will be allowed in the future, but we don’t know.
At any rate, don’t expect an application to function properly if you don’t give it all the permissions that it needs.
As I understood it (please prove me wrong), for now ONLY this app can access stuff, and not system-wide like it used to be. I hope there will be improvements too, but it is a start.
Well, not exactly - if you run an application that doesn’t implement Sailjail (i.e., the Firejail implementation in Sailfish), then it will access whatever it wants system-wide.
This highly depends on the implementation in Sailfish OS, and I believe that it is early days still.
Well, before the latest update Koli there was not even a permission/sandboxing system. So the gallery could access the Internet without permission (which is for photos in the (next)cloud I suppose).
So I would say it is a big improvement compared to prior versions, although there is still much room for polishing for sure (like giving only some permissions, as @gabrielg already mentioned).
Yeah, this is something that Android does (you can observe it in the devices that support Android 8/9), but denying permissions to a program is always tricky. Whatsapp will not function without slurping your contacts - it will pretend to have a connection timeout, so the value of selectively giving permissions is relative.
All programs should function like the browser and ask you if, e.g., you wish to share your location with a specific website.
How I understood it (and I’ve had a proof-of-concept working SailJail implementation for Whisperfish):
Pre 4.0, we had “privileged” apps and “unprivileged” apps. A privileged app could get access to certain directories that the other apps could not. In theory you could request multiple permissions (contacts, pictures, …), but in practice this was just boolean: either you got all “permissions” or you didn’t get any. It has been a work-in-progress since SailfishOS 1.0, without a lot of progress.
Since 4.0, this is completely overhauled, with a totally different system, based on FireJail. In FireJail, applications are confined to a jail, and they can only access data that’s inside the jail (not unlike chroot). “Permissions” are here implemented as access rights within this jail: if you get the contacts permission, your jail will get a mounted contacts directory and database. If you get the notification permission, the DBus filter will let notifications pass through.
For me it is currently unclear how an application could get permissions in a dynamic way, at runtime (which is something I’d like to have in Whisperfish), but I think this is something that Jolla does want to figure out eventually. Giving optional permissions at start-up time should be “doable”, because the list of permissions is sourced from the .desktop file, and they could get marked as optional.
As a personal note, I think Jolla is going in the right direction here; I found it relatively intuitive to figure out how to get Whisperfish inside the jail, and that was without a lot of documentation. FireJail sounds like a good choice to base things on, although I’d love to read a comparison with, e.g., AppArmor and SELinux.
Note that in Koli, 4.0, both permission systems still exist, mostly because of backwards compatibility.
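The post above describes the 4.0 model: the permission list lives in the app’s .desktop file, and each permission is realised as something mounted into the jail or allowed through the D-Bus filter. The script below is an added example (not code from this thread, from Whisperfish, or from Jolla’s Sailjail) that makes that model concrete: it reads a `Permissions=` list from a constructed `[X-Sailjail]` section and turns it into an illustrative firejail profile, deny-by-default plus one widening line per permission. The sample .desktop text, the section/key names and the permission-to-profile mapping are assumptions made for illustration, not Sailjail’s real profile set.

```shell
#!/bin/sh
# Added example, not code from the thread or from Jolla's Sailjail.
# Reads the Permissions= list of a .desktop file's [X-Sailjail] section and
# emits an illustrative firejail profile: nothing visible or reachable by
# default, then one whitelist / D-Bus / network line per declared permission.
#
# Assumptions (constructed for illustration, not taken from the page):
# the sample .desktop text, the [X-Sailjail] keys, and the mapping from
# permission names to profile lines.

# Constructed sample .desktop file content (assumption).
SAMPLE_DESKTOP='[Desktop Entry]
Type=Application
Name=Example Gallery
Exec=example-gallery

[X-Sailjail]
Permissions=Pictures;Internet;Notifications
OrganizationName=org.example
ApplicationName=ExampleGallery
'

# desktop_key SECTION KEY   (desktop-file text on stdin)
# Prints the value of KEY inside [SECTION]; prints nothing if absent.
desktop_key() {
    awk -v sec="[$1]" -v key="$2" '
        /^\[/ { insec = ($0 == sec); next }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    '
}

# has_permission DESKTOP_TEXT PERMISSION -> exit status 0 if declared.
has_permission() {
    perms=$(printf '%s\n' "$1" | desktop_key X-Sailjail Permissions)
    case ";$perms;" in
        *";$2;"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# permission_to_profile PERMISSION
# Illustrative mapping (assumption): a permission becomes a whitelist that
# mounts data into the jail, or a D-Bus rule that lets a service through.
permission_to_profile() {
    case "$1" in
        Pictures)      echo 'whitelist ${HOME}/Pictures' ;;
        Contacts)      echo 'whitelist ${HOME}/.local/share/system/privileged/Contacts' ;;
        Notifications) echo 'dbus-user.talk org.freedesktop.Notifications' ;;
        Internet)      : ;;   # networking is decided once in build_profile
        *)             echo "# unknown permission '$1': not granted" ;;
    esac
}

# build_profile DESKTOP_TEXT
# Deny-by-default base, then one line per declared permission.
build_profile() {
    perms=$(printf '%s\n' "$1" | desktop_key X-Sailjail Permissions)
    echo 'private'            # fresh, empty home: only whitelisted paths appear
    echo 'dbus-user filter'   # session bus closed except for explicit rules
    if has_permission "$1" Internet; then
        echo '# Internet granted: network namespace left shared'
    else
        echo 'net none'       # no Internet permission means no network at all
    fi
    old_ifs=$IFS; IFS=';'
    for p in $perms; do
        if [ -n "$p" ]; then
            permission_to_profile "$p"
        fi
    done
    IFS=$old_ifs
}

build_profile "$SAMPLE_DESKTOP"
```

Dropping `Internet` from the sample’s `Permissions=` line makes `build_profile` emit `net none` instead of the shared-network comment, which is the “gallery without internet” configuration the original question asks for; in this model that choice is made by whoever ships the .desktop file, not by the user at first launch.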
Preinstalled system apps do whatever they want, no way to avoid that. In general: Android is a system that bypasses as many Linux security measures as possible, with trivial-sounding names to the user.